Sabotage Mitigation - Coggle Diagram
Types of Attacks
Application Attack
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Cache Busting: sending queries that invalidate the database cache early (so more load reaches the database)
Distributed Denial of Service (DDoS)
- SYN Flood, UDP Reflection, DNS Flood, Slowloris, ...
Default
Route 53
- A malicious attacker's DNS requests can be resolved to different IP addresses to prevent further damage to the infrastructure
CloudFront
- The CloudFront cache serves the attacker, so the traffic is not forwarded directly to the internal infrastructure
CloudFront Origin Security
- Prevent users from directly accessing the infrastructure
- CloudFront attaches the X-Origin-Verify header to origin requests, so WAF can block traffic that lacks the header before it reaches the internal infrastructure
- The value used for X-Origin-Verify can be generated by Secrets Manager
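The origin-side check behind the X-Origin-Verify pattern, as an added example (not code from the original mind map or from AWS): a request is admitted only if the header value matches one of the accepted secret values, and during a rotation both the previous and the new value are accepted so the distribution and the WAF rule can be updated without a gap. Header and secret values below are constructed samples.

```python
import hmac
import secrets

HEADER_NAME = "x-origin-verify"  # custom header CloudFront adds on requests to the origin


def new_origin_secret(nbytes: int = 32) -> str:
    """Generate a random header value of the kind Secrets Manager would store."""
    return secrets.token_urlsafe(nbytes)


def origin_request_allowed(headers: dict, accepted: list) -> bool:
    """Return True only if the request carries X-Origin-Verify with an accepted value.

    `accepted` normally holds one value; while a secret is being rotated it holds
    the previous and the new value so in-flight configuration changes do not
    lock out legitimate CloudFront traffic.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = lowered.get(HEADER_NAME)
    if presented is None:
        return False  # direct hit on the origin that bypassed CloudFront
    matched = False
    for value in accepted:
        # constant-time comparison; check every candidate rather than returning early
        if hmac.compare_digest(presented.encode(), value.encode()):
            matched = True
    return matched


# constructed sample values and requests
CURRENT_SECRET = "constructed-current-secret-value"
PREVIOUS_SECRET = "constructed-previous-secret-value"
SAMPLE_REQUESTS = [
    {"path": "/index.html", "headers": {"X-Origin-Verify": CURRENT_SECRET}},
    {"path": "/api/orders", "headers": {"x-origin-verify": PREVIOUS_SECRET}},
    {"path": "/admin", "headers": {}},
    {"path": "/login", "headers": {"X-Origin-Verify": "guessed-value"}},
]


def evaluate(requests: list, accepted: list) -> dict:
    """Map each request path to the allow/deny decision the origin would take."""
    return {r["path"]: origin_request_allowed(r["headers"], accepted) for r in requests}


if __name__ == "__main__":
    # during rotation both values are accepted; after rotation only CURRENT_SECRET remains
    for path, allowed in evaluate(SAMPLE_REQUESTS, [CURRENT_SECRET, PREVIOUS_SECRET]).items():
        print(f"{path}: {'allow' if allowed else 'deny'}")
```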
IP blocking
Web Application Firewall (WAF)
- WAF can be applied to various services: ALB, CloudFront
Network Access Control List (NACL)
- Allow or deny ranges of IP addresses from accessing a VPC
AWS Firewall Manager
- Centrally controls all filtering/blocking activity across the organization
- Covers WAF, Shield Advanced, Security Groups, ALB, ENI, VPC, and Route 53, with policies set per region
- Rules set here apply to any new resources created across the organization